
Guest Post: Why Get Out of the Cavern?

InfoSec, like many professions, has a known echo chamber. The same people who joke about it are the same people who contribute to it the most.

The repetition appears in tweets, blog posts, podcasts, and at conferences.

  • How many panel discussions held at conferences actually have led to known change?
  • How many presentations and panels at conferences are identical or repeated at different conferences and every year?
  • How many times has someone posted/tweeted something only to be told that someone else spoke/wrote about the same thing months or even years ago?
  • How often are new speakers and actual new topics accepted and presented at conferences?

While the InfoSec space has a fairly large echo chamber, it is also a rather harsh space in which to work. Someone makes a mistake – tweets go out, blogs are written, podcasts analyze it, and a TV reporter might conduct interviews about it. How often do people in the InfoSec space praise each other? While it might be difficult to recognize successes in InfoSec, there are far more companies that don’t make the news for negative reasons. I would like to think that the people securing the companies are doing something right or well. People who read this are probably thinking that any company not exposed for a compromise must be hiding or not sharing information. If a company is compromised and immediately takes the necessary steps to fix the problem without the company making headlines or killing a Twitter feed, is that a bad thing?

The echo chamber makes me laugh at least once a day with the overuse of acronyms and the repeated “this doesn’t work, we need to change” mentality. As I watch my Twitter feed roll by with a fair amount of negativity, I wonder where the leaders are with ideas on how to change and improve the InfoSec space. I believe that many of them are working quietly and implementing controls to keep their company or business safe. I would love to hear from them, but suspect they feel safer keeping quiet.

The preceding blog post was originally posted by my lovely wife Keli Hay on her shiny new blog. Though new to blogging, she’s not new to critical opinions. You can read more of her posts at OutsideLookInfoSec and follow her on Twitter using

Andrew Dreams of Security

Yesterday, I watched a pretty incredible documentary, which you’ve undoubtedly heard of, called Jiro Dreams of Sushi. To sum it up, the documentary is about an 85-year-old sushi master, Jiro Ono, his business in the basement of a Tokyo office building, and his relationship with his son and eventual heir, Yoshikazu.

In the movie, the concept of shokunin is introduced to the viewer. I couldn’t remember how the term was defined in the documentary, so I took to the Internet. The best definition of shokunin I was able to find was by Toshio Odate:

“The Japanese word shokunin is defined by both Japanese and Japanese-English dictionaries as ‘craftsman’ or ‘artisan,’ but such a literal description does not fully express the deeper meaning. The Japanese apprentice is taught that shokunin means not only having technical skills, but also implies an attitude and social consciousness. … The shokunin has a social obligation to work his/her best for the general welfare of the people. This obligation is both spiritual and material, in that no matter what it is, the shokunin’s responsibility is to fulfill the requirement.” – Toshio Odate

Now, how does this relate to security? Well, think about this: how many of us can say that we’ve become ‘craftsmen’, ‘artisans’, or ‘shokunin’ in a single aspect of information security? I cannot think of a single friend, colleague, or acquaintance that I would consider shokunin. Please, don’t be offended by the previous statement. I know quite a few people who I consider very good at what they do, but none of them have the dedication to be shokunin.

I argue that the information security field does not have shokunin, nor will we ever if we keep flip-flopping between requiring individuals to be specialized one minute and have a wide breadth of skill the next. In the documentary, Jiro (or maybe it was Yoshikazu) mentions that an apprenticeship lasts for a minimum of 10 years. I, for one, have not worked a single job for more than 3.5 years, let alone 10. The dedication to become shokunin simply does not exist in our field.

When I posed the question to Twitter this morning, Andrew (@azwilsong) suggested that our field was simply not as mature as that of sushi. Kevin Johnson (@secureideas) agreed, but wondered what we could do to change it:

[Screenshots of the Twitter exchange, 4 March 2013]

So which is it? Serious passion to perfect a single skill or a wide variety of knowledge across various disciplines? Do we even need security shokunin? I’d be curious to hear what you think.

While you ponder your response, I’ll leave you with this. The documentary includes quite a bit of commentary from Japanese food critic Yamamoto, who lists “the five attributes of a great chef” – all of which, he asserts, Jiro possesses in spades. These attributes are:

  1. Take your work seriously.
  2. Aspire to improve.
  3. Maintain cleanliness.
  4. Be a better leader than a collaborator.
  5. Be passionate about your work.

How many of us strive to live by the above attributes… ALL of the above attributes? Time to look inward, methinks 🙂

Hire My Wife

My lovely wife, Keli Hay, is now a free agent and is available for all of your instructional design, training and technical writing needs. You can read all about her on her page, but here are some highlights:

  • More than a decade of experience developing and delivering learning and written content
  • Experience in software, financial services, energy, life sciences, retail, defense, healthcare, and government verticals
  • Has designed, developed and led learning deliverables for various clients
  • Helped develop technical documentation and courseware for internal, customer and partner training at Q1 Labs, an IBM company
  • Provided introductory and intermediate-level training on various Microsoft software packages
  • Provided technical editing expertise to the authors of the OSSEC Host-based Intrusion Detection Guide (Syngress, ISBN 9781597492409, March 2008)
  • Co-authored the Nokia Firewall, VPN, and IPSO Configuration Guide (Syngress, 9781597492867, November 2008)
  • Is a Certified Technical Trainer and has attended instructional techniques workshops offered by Friesen, Kaye and Associates
  • Has a diploma in Business Administration (Information Systems Major) from Algonquin College in Ottawa, Ontario, Canada
  • Served in various roles and responsibilities at Pulse Learning, Q1 Labs, Magma Communications, Nortel Networks, Computer Sciences Corporation and the Royal Canadian Mounted Police (RCMP)

Feel free to reach out to her directly via her page, Twitter (@klhay) or LinkedIn.
